When dealing with denial of service via resource exhaustion, you are
faced with two problems: how to detect the attack (before your system
goes catatonic, that is), and how to react.
XXX: draft only
- Resource metering (network rate limiting, memory consumption,
number of processes)
- Choose proper limits.
- You can also use dynamic resource limits based on system load.
Current system load is available through the function
getloadavg on BSD and on Linux systems.
- Set hard resource limits as a last resort.
If you exceed one of these limits, your application will receive
a signal and exit. This is a condition that a functioning
system can deal with gracefully (e.g. by restarting the service
with a clean slate). The only way to deal with a wedged system
is manual intervention (usually by hitting the red button
and keeping your fingers crossed that the file system check will
go through).
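
The two mechanisms from the list above, a load-based dynamic limit and hard limits as a backstop, sketched in C. This is an added example, not code from the original text. The thresholds, the connection counts and the function names other than getloadavg, getrlimit and setrlimit are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE            /* exposes getloadavg() in glibc's <stdlib.h> */
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Assumed policy values, not taken from the original text. */
enum { MIN_CONNS = 8, MAX_CONNS = 256 };
static const double LOAD_LOW = 1.0, LOAD_HIGH = 4.0;

/* Scale the admission limit linearly from MAX_CONNS (idle) to MIN_CONNS (busy). */
int conn_limit_for_load(double load)
{
    if (load <= LOAD_LOW)  return MAX_CONNS;
    if (load >= LOAD_HIGH) return MIN_CONNS;
    double busy = (load - LOAD_LOW) / (LOAD_HIGH - LOAD_LOW);
    return MAX_CONNS - (int)(busy * (MAX_CONNS - MIN_CONNS));
}

/* Dynamic limit from the 1-minute load average; stay conservative if it is unavailable. */
int current_conn_limit(void)
{
    double avg[1];
    if (getloadavg(avg, 1) < 1)
        return MIN_CONNS;
    return conn_limit_for_load(avg[0]);
}

/* Last resort: set soft and hard limit to `want`, never above the inherited hard limit. */
int lower_hard_limit(int resource, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
        want = rl.rlim_max;        /* an unprivileged process cannot raise it */
    rl.rlim_cur = rl.rlim_max = want;
    return setrlimit(resource, &rl);
}

int main(void)
{
    /* Constructed backstop values: 512 MiB address space, 64 processes. */
    if (lower_hard_limit(RLIMIT_AS, (rlim_t)512 << 20) != 0 ||
        lower_hard_limit(RLIMIT_NPROC, 64) != 0) {
        perror("setrlimit");
        return 1;
    }
    printf("accepting at most %d concurrent clients\n", current_conn_limit());
    return 0;
}
```

A server would call current_conn_limit() before each accept and refuse or delay new clients once the count of active ones reaches it; the hard limits are set once at startup.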
Olaf Kirch
2002-01-16